The Data Protection Supervisory Authority for the state of Berlin (Die Berliner Beauftragte für Datenschutz und Informationsfreiheit, “Supervisory Authority”) recently issued a fine for GDPR violations against Germany’s second largest housing company Deutsche Wohnen SE (“DW”) for retaining personal data without legal justification. The amount of the fine, EUR 14.5m, is the highest issued by a German Supervisory Authority for data protection infringements so far and the first to be in the millions. Germany is thus following the trend of increasing fines set by other EU Member States’ authorities, such as the UK, France and Austria in particular. READ MORE
Dr. Christian Schröder heads Orrick's IP/IT & Data Privacy Practice Group in Germany in Orrick’s Düsseldorf Office. Christian advises medium sized (Mittelstand) companies to large multinationals on IP, Unfair and Deceptive Trade Practices, E-Commerce, IT and Data Privacy/Data Protection.
He is listed in Germany's leading lawyer ranking magazine JUVE as frequently recommended data privacy expert and clients recommend him to JUVE for his "reliable and actionable advice". Christian and his practice are also ranked by The Legal 500 Germany and The Legal 500 EMEA as well as Germany’s business journals WiWo and Handelsblatt for being among the leading German and European IT and data privacy practices (2019 and 2020), clients referred to him and his team as "Top data privacy expert", "extremely knowledgeable", and "able to explain complex legal issues in an easily understandable way so that both legal and economic decisions can be made". Christian Schröder is recommended for his "data protection expertise and quick comprehension as well as his entrepreneurial acumen."
Christian provides IP/IT advice in M&A transactions and advises on IP focused joint ventures. He supports companies on the set-up of webshops, outsourcings, license agreements, in cases of trademark or unfair and deceptive trade practice issues as well as on hard and software license and IT project agreements.
As a core member of Orrick's global Cyber, Privacy & Data Innovation practice, Christian has a special focus on data privacy/data protection matters. In particular, Christian advises on privacy compliance programs, a risk-based approach to privacy, on implementing databases and new software applications, in particular, cloud based solutions. He advises on IT and data privacy contracts, internal data privacy policies, binding corporate rules, user agreements on BYOD, whistleblowing schemes, e-discovery, security breaches, and intra-group data sharing on a national and international basis. Christian regularly represents market leading clients in IT and data privacy contract negotiations and regularly defends companies against unfair access to their know-how by competitors and against unfair poaching of customers and employees.
Posts by: Christian Schröder
EUR 30,000 for “a simple cookie banner”?!? – Spanish Supervisory Authority fines airline for non-compliance
The Spanish supervisory authority agencia española protección datos (“Supervisory Authority”) has issued a fine (the original Spanish document can be accessed here) against an airline based on their use of a cookie banner, which the Supervisory Authority considered not to be compliant with privacy provisions.
In issuing the fine, the Supervisory Authority referred to Art. 22.2 of the Spanish Act of the Services of the Information Society and Electronic Commerce (Ley de Servicios de la Sociedad de la Información—“LSSI”) rather than the General Data Protection Regulation (“GDPR”). Art. 22.2 LSSI is based on the ePrivacy Directive, which is still in effect and is not replaced by the provisions of the GDPR—we note, however, that the ePrivacy Directive would likely be replaced by the provisions of the proposed ePrivacy Regulation, which is still being negotiated.
This fine highlights the European data protection authorities’ continued concern over the collection of personal information through cookies and other tracking technologies and should thus attract the attention of companies that provide websites to customers in the EU. The decision might set the standard for fines on the lack of consent for cookies and is in line with the rather conservative view of the European Court of Justice (“CJEU”) in its recent court decision, which explicitly referred to the GDPR (please also see our blog post on the CJEU’s decision). READ MORE
E-Commerce Businesses Beware: The Freedom to Contract does not Trump Reasonable Privacy Expectations
The EDPB’s new Guidelines on Article 6(1)(b) may severely limit e-commerce business’ ability to enhance data processing by unilaterally defining contractual services.
On October 8, 2019, the European Data Protection Board (“EDPB”) released the “Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects” (the “Guidelines”) after public consultation. The text of the Guidelines is available here. Largely in line with previous guidance, the EDPB takes the view that companies cannot expand legal justifications for data processing operations based on broader definitions of their services. The legal justification of a processing for performing a contract does not cover processing operations, which, reasonably, the individuals would not expect when entering into the contract. Businesses should thus carefully review the legal justifications for the processing operations and be prepared to consider limitations on certain data processing should individuals object. READ MORE
No Consent, No Cookie! CJEU Issues Far-Reaching Decision on Cookie Consent
In its long-awaited judgment, the European Court of Justice (CJEU) decided the data protection requirements for obtaining consent when using cookies. The court held that “passive” acceptance of cookies through prechecked boxes, or by posting a banner and assuming consent with continued browsing of the website, is not an acceptable form of consent. According to the CJEU, “consent” requires active behavior in the form of interaction with the banner, or some other affirmative action indicating consent. The court held that website operators must ensure this level of consent prior to placing any cookies that require consent for storing or accessing information stored on the user’s device. The court’s decision removes all legal ambiguities on the level of consent required for cookies, and website operators are wise to review their use of cookies as a result.
This alert will analyze the CJEU’s decision, provide a summary of the current regulators’ views and give practical guidance on what website operators should do. READ MORE
New law decreases the number of companies required to designate a Data Protection Officer in Germany
On June 28, 2019, the German parliament (Bundestag) passed new legislation imposing several changes to the current German Federal Data Protection Act (“BDSG”). Although many of the changes addressed privacy aspects of criminal proceedings, the new legislation makes an important change for small companies by increasing the threshold to designate a Data Protection Officer (“DPO”). Whereas currently companies have to designate a DPO if they constantly employ at least 10 employees who deal with the automated processing of personal data, the new legislation increases the minimum number of employees from 10 to 20, significantly decreasing the financial and administrative burden for small companies doing business in Germany. This article explains the changes and their impact and explains what companies should do.
Bavarian Data Protection Supervisory Authority Concludes After “Safer Internet Day Raid” that Investigated Companies Fail to Obtain Appropriate Cookie Consent
The Bavarian Data Protection Authority (“BDPA”) took the “safer internet day” in February 2019 as an opportunity to conduct privacy checks on website operators. The focus was on “cybersecurity” (in particular, password security) and “tracking” and the outcome is rather disillusioning, according to the BDPA. The BDPA stated that necessary security measures were not implemented and none of the cookie banners obtained valid consent. The BDPA announced it would conduct further checks via written procedures or even by on-site inspections to validate the quick check results and assess whether further actions must be taken. In those cases where the BDPA is not competent, the BDPA will consider reaching out to competent lead supervisory authorities where necessary so that they can provide their insights. READ MORE
World’s “Largest Area of Safe Data Flow” Created by Japan and the European Union
The EU-Japan Economic Partnership Agreement between Japan and the European Union (“EU”) recently came into force, creating the world’s biggest open trading zone that covers 635 million people and almost one-third of the world’s total GDP. In the shadow of that agreement, however, another development—the mutual acknowledgment of data protection standards—took place, which should not be overlooked because it sets another world record. On January 23, 2019, the European Commission adopted its adequacy decision on Japan, acknowledging that Japan provides for an adequate level of data protection. Similarly, effective January 23, 2019, the Japanese independent data protection authority, the Personal Information Protection Commission (“PPC”), has also designated countries within the European Economic Area as having an equivalent level of data protection. This mutual acknowledgement created what is being referred to as the “largest area of safe data transfer” in the world.
These developments have important benefits for companies transferring data from the EU to Japan and vice versa, reducing burdens and giving companies greater access to customers. Below, we discuss the developments and describe what companies should consider in the future. READ MORE
Google to Pay $57 Million for GDPR Violations
On January 21, 2019, the French data protection supervisory authority (“CNIL”) fined Google €50 million (approximately $57 million) for violating the European General Data Protection Regulation (“GDPR”). The fine penalizes Google for failing to comply with the GDPR’s transparency and notice requirements, and for failing to properly obtain consent from users for ads personalization. This is the largest GDPR fine imposed to date and the first action against a major global tech player. The CNIL’s decision sends an important message to companies that tough enforcement actions are not just a theoretical threat. Companies should look closer at data protection compliance and particularly work on their notices and consent forms. READ MORE
Guidance on Direct Marketing Issued by the German Data Protection Supervisory Authorities
In November, the German Data Protection Conference (committee of the independent German federal and state data protection supervisory authorities) (“DSK”) published a guidance on the processing of personal data for direct marketing purposes under the GDPR. This guidance finally brings some light into the darkness of marketing under the GDPR. READ MORE
European Court Restricts Employer Access to Employee’s Private Communications
(Editors’ note: Thanks to Orrick trainee associate, Arne Senger, for his help with this blog post.)
With its recent ruling in Bărbulescu v. Romania (application no. 61496/08), the Grand Chamber of the European Court of Human Rights (ECHR) made a decision of enormous impact for employers in Europe. The decision makes clear that even when private use of business resources is prohibited, employers do not have unlimited access to all communications that occur on corporate systems.
Companies should carefully review their policies to ensure that they can access their corporate IT equipment, at least to the extent permitted by European data privacy law. READ MORE